b' NATIONAL ARCHIVES AND RECORDS \n\n     ADMINISTRATION (NARA) \n\n\n\n\n\n    Report on the 2008 Review ofNARA\'s \n\nCompliance with Section 522 of the Consolidated \n\n          Appropriations Act, 2005. \n\n(policies, Procedures & Practices for Protection of Personally \n\n                  Identifiable Information) \n\n\n\n                   Clifton Gunderson LLP \n\n                     September 24, 2008 \n\n\x0c                                                TABLE OF CONTENTS\n\n\n\n                                                                                                                                        PAGE \n\n\n\nTRANSMITTAL LETTER .................................................................................................................. 1 \n\n\n\n\nEXECUTIVE SUl\\I1MARy.................................................................................................................... 2 \n\n\n\n\nBACKGROUND ...................................................................................................................................... 3 \n\n\n\n\nSCOPE AND METHODOLOGy...................................................................................................... 4 \n\n\n\n\nDETAILED RESULTS OF REVIEW .............................................................................................. 7 \n\n\n\n\nAPPENDIX - MANAGEMENT\'S RESPONSE ......................................................................... 10 \n\n\x0cPaul Brachfeld\nInspector General\nOffice of the Inspector General\n8601 Adelphi Road,\nCollege Park, MD\n\nDear ~Ir. Brachfeld,\n\n\\"(!e are pleased to present our repOlt on the National Archives and Records Administration\'s\n(NARA) compliance with protection of personal data in an identifiable form. 
TIus review included\nassessing compliance with applicable federal security and privacy la\\,"s and regulations as \\vell as\nassessing the privacy and data protection procedures used by NARA as they relate to the guidelines\nset forth in Section 522-d of the Omnibus SPending Bill for TranspOftation. TreoS!1ry, Independent Agetlcies.\nand Gemral GmJe171mmt Approp,iatioJls Act of 2005. The objectiye of our review was to deternline\nwhether: (I) the necessity of using personally identifiable information for processing was properly\nevaluated; (2) the Archives had established adequate procedures governing the collection, use and\nsecurity of personally identifiable information; and (3) the Archives had properly complied \\,"ith the\nprescribed procedures to pre,"ent unauthorized access to and unintended use of personally\nidentifiable information.\n\n\\\'\\\'e interviewed key personnel involved in identifying and protecting personally identifiable\ninformation and reviewed documentation supporting NARA\'s efforts to comply with federal privacy\nand security laws and regulations.\n\nTIllS performance audit was conducted from July 2008 to August 2008 at the NARA Headquarters\nin College Park, Matyland and Arduves I in Washington, District of Columbia and was conducted in\naccordance .vith GeJJeI(J/~}\' Accepted GOl\'e1\'11l11ellt AuditiNg Standards.\n\n\\Ve appreciate the opportuni.ty to have served you once more and are grateful for the courtesy and\nhospitality extended to us by NARA. personnel. Please do not hesitate to call me at (301) 931\xc2\xb72050\nor email atgeorge.fallonrmcliftoncpa.comif you ha,-e questions.\n\n\\\'\\\'e have incorporated NARA management\'s response to this report as an appendix.\n\nSincerely,\n\n~~LLjJ\nCUFTON GUNDERSON LLP\nCalverton, )\'Iall"land\nSeptember 24, 2008\n\n\ntel .301-\')31--.\'050\ntas .301\xc2\xb7\'1.>1-1-10\nw\xc2\xb7ww.clif!011cpa.com                                        "snmglnn. 
DC\n\x0cEXECUTIVE SIJMl\\\'lARY\n\nThe NA~-\\\' Privacy Office or the Office of General Counsel has been proactive in carrying out its\nstatntmy responsibilities and its related role in ensuring compliance with Section 522 of the General\nGovernment Appropriations Act of 2005. Specitically, the Privacy OHice has established a\ntramewmk for identifying information systems containing m processing personally identifiable\ninfmmation (PH), securing data contained in these systems, conducting Princy Impact Assessments\n(PIA) and reporting Systems of Records Notices (SORt"Js), all required by the Act.\n\nBased on our review, NARA has (a) evaluated the necessity of using PH fm data processing; and (b)\nestablished procedures for the collection and H.se of PII. HO\\vever more \'vmk remains to be\naccomplished. Specifically, we noted the follo\\ving:\n\nThe NARA Privacy Office (OGC) ;md the Office ofInfonnation Senices (NH) has made\nsJ",.omlicant drort il1 carrying Ollt its statl/tory responsibiHties and its reL\'lted role iII ensurHlg\ncompliaIlce with Section 522 of the General GoverIlmeIlt Appropriations Act. 
However, we\nnoted policies and procedures as reqllired by Office of .M~aIlagement and Budget (OMB)\nMemor;mdllm 06-16 have Ilot been de\xc2\xb7veloped.\n\n);- No formalized policies and procedures are in place for Personally Identifiable Information\n    which: (1) explicitly identify the rules for determining whether physical removal is allowed; (2)\n    require the information be encrypted and that appropriate procedures, training and\n    accountability measures are in place to ensure that remote use of this encrypted intormation\n    does not result in bypassing the protections provided by the ennyption; (3) explicitly identify the\n    rules fm determining whether remote access is allowed for personally identifiable information\n    that can be removed; (4) require that the remote access be accomplished via a "irtnal pril:ate\n    network (VP).I) connection established using agency issued authentication certificate (s) or\n    hardware token, when remote access is allowed; (5) identify the rules for determining \\vhether\n    download or remote storage of the information is allmved, when remote access is allowed.\n\nNARA technical controls related to tbe protectiOII ofpersonaJ{y identi1i;lble information\nneed to be streIIgthened.\n\n);- Ennyption mechanisms are not in place on portable devices contaitlitlg privacy data such as\n    laptops, portable digital assistants (PDAs) or tlmmb dri\\"es leaving the ).lARA premises.\n);- Two factor authentication is not in place for remote access login.\n);- Risk assessments tor Badging and Access System (B&A) and Automated Collection\n    Management Database (IO/ACi\\ID) is outdated and has not been updated at least evelT three\n    years as required by federal mandates.\n\n\n\n\n                                                  2\n\n\x0cBACKGROUND\nThe Privacy Act of 1974 requires agencies to "establish appropriate administmti,\'e, technical and\nphysical safeguards to ensure the security and confidentiality of 
records and to protect against any\nanticipated threats or hazards to their security or integrity which could result in substantial harm,\nembarrassment, inconvenience, or unfairness to any individual on ,,,,hom the information is\nmaintained," 5 U.S.c. \xc2\xa7 552a (e) (10). The Privacy Act limits agencies to "maintaining only such\ninformation about an individual as is relevant and necessary to accomplish a purpose of the agency\nrequired to be accomplished by statute or Executive order of the President," 5 l.".S.C. \xc2\xa7 552a (e) (1).\n\nThe E-Government Act of 2002 strives to enhance protection of personal information in\ngovernment information systems, by requiring the agencies to conduct PIAs. A PIA is an analysis of\nhO\\v personal information is collected, stored, shared, and managed in a federal system.\n\nSection 522 of the 2005 Consolidated Appropriations Act for Transportation and Treasnry, Public\nLaw 108-447, Division H, provides privacy requirements for NARA, including the implementation\nof privacy policies and procedures for public and employee data. OMB Memorandum-OS-08 also\nrequires each agency to designate a Senior Agency Official for Privacy. For NARA, the General\nCounsel also selves as the Senior Agency Official for Privacy.\n\nNARA\'s llse ofpersomilly identifiable inionwltion andrelatedpolicies andprocedllres\n\nNARA is an independent agency \\vithin the executive branch of the Federal Gmremment\nresponsible for preserving, protecting and providing access to the records of our Government.\nNARA also creates and receives a ,vide range of PH in the course of functioning as an executi\'\\\'e\nbranch with 3,229 employees. NAR..A.. also collects information on its contractors, volunteers and\nresearchers who nse the facilities and make requests for archival records as well as indiyidnals who\ndonate historical records or make financial contributions.\n\nThe NARi\\. 
Privacy Program is housed \\vithin NARA.\'s Office of General Counsel (OGC), located\nin Archives headquarters. The goal of the NARi\\. Prlyacy Program is the protection of PlI. The\nprogram provides leadership and assistance to NAILA. \'5 divisions, nine regional archiyes and twelve\nPresidential libraries around the country on issues related to the Privacy Act of 1974, E-Gm\'emment\nAct of 2002 and related OMB privacy guidance.\n\nThe NARA Privacy Program has an on-going initiatiw to grow the skills, knO\\vledge and capabilities\nof the di"islon heads and system owners.\n\nIn conformity ,vith the 2005 Consolidated Appropriations Act, NARA\'s Senior Privacy OffIcial\npublished a Report of Senior Agency OftIcia1 for Privacy on September 2006. This report was sent\nto the NARA OIG and to Congress. Tills report outlines the following areas:\n\n\xe2\x80\xa2\t   PrO[fSS  of LfJllfbfding PlinN] Rel\'ieJl\': Includes an O\\"elYleW of NAR...,\\\'s pnvacy management\n    program and determination of systems containing PlI.\n\xe2\x80\xa2 \t l\\\'"..-iRA USt\' qj"PII. Pril\'tu] and Data ProtectiON Po/irie.. and Proadf1reJ: Includes an oyelyiew of efforts\n    used to track PH, NARA privacy officer\'s compliance efforts, NARA-wide policies and\n    procedures developed or drafted to date in compliance with various privacy laws, regulations\n    and 01IB gnidance, and other key priyacy lllltiatives.\n\n\n\n                                                        3\n\n\x0cNARA\'s mission is to safeguard and preselTe records of the CS Goyernment. In doing so, NARA\nis required to collect and nse a significant amonnt of personal information from employees and the\npnblic for both administrative and operational initiatiyes. Also, presidential records and other\narchival records \\vhich are classified as PI! are preselTed within the Archives. To ensure\ninformation collected and maintained is secure, NARi\\ has appointed an agency wide priyacy officer\nlocated within the OGe. 
In addition to providing leadership on NARA-wide policies and\nprocedures, the NARA Priyacy Program works collaboratiwly with NH to gu.ide and support their\npriyacyawareness and compliance efforts. The methodology is based upon the follO\\ving:\n\n\xe2\x80\xa2   Establish the priority, authority, and responsibility,\n\xe2\x80\xa2   Assess current privacy en,-ironment,\n\xe2\x80\xa2   Organize resonrces necessalY for the project\'s goals,\n\xe2\x80\xa2   Develop policies, procedures and practices,\n\xe2\x80\xa2   Implement policies, practices and procedures,\n\xe2\x80\xa2   l\'.Iaintain the policies, practices and procedures,\n\xe2\x80\xa2   Manage the exceptions and/or problems with the policies, practices and procedures.\n\nIn compliance with this requirement, NAR.,.-\\ undertook a review of the use of PH and pri,-acy\npolicies and procedures at the agency wide level.\n\nThe NARA priyacy officer in conjunction with the NH maintains an un-entory of allulformation\ntechnology systems that collect, use, and share PlI. As of the date of this report, there are 19 such\nsystems.\n\nGiven the signiticant amount of sensitiye PI! data handled by the NARA, dIe NAR..A Priyacy\nOfficer continually works to track PI! nse and identify weaknesses dlat may require corrective action\nat the program or system leveL A critical part of tius process involves the review of PIAs and\nSORNs (if applicable) that are prepared by each PI! system owner. In some cases, however, a PH\nsystem may be ex.empt from the requirement to perform a PIA if dus system was created or\nimplemented prior to dle enactment of the E-Govemment Act of 2002. The NARA Privacy Oftice\nmaintains a list of all PI! 
systems that ha,\'e completed a PIA or SOR..\'\\T and is responsible for posting\nall final PlAs and SOR..\'\\fs on the NAR.,.J\\ Privacy Program web page.\n\nSCOPE AND METHODOLOGY\n\nNARA\'s OIG contracted \\,-ith Clifton Gunderson LLP to conduct an audit of NARA\'s privacy and\ndata protection policies and procedures in compliance with Section 522. The objective of tlus\nreYlew was to assess the progress ofNAR..;\\.\'s Privacy Office UI canying out its responsibilities under\ntederallaw, more specifically, to determine whether: (1) the necessity of using personally identifiable\nulfonnation for processing was properly e,-alnated; (2) NARA had established adequate procedures\ngovenllilg the collection, use and security of personally identifiable infomlation; and (3) NARA\nproperly complied with the prescribed procedmes to pre,\'ent unauthorized access to and unultended\nuse of personally identitlable information.\n\nTo address tIus objective, we reviewed federal statutes including dIe PriYacy Act of 1974 and\nSection 208 of the E-Gowmment Act, to identify responsibilities of NARA\'s Privacy Office. \\\\Ce\nreviewed and analyzed privacy policies, guidance, and reports, and intenTlewed with ofticials from\nthe Privacy Oftice. The personnelultelyie,ved ulClnded the Senior Privacy Officer and the Pri,\'acy\n\n\n\n                                                   4\n\n\x0cAct OftIcer to identify pnncy oftIce\'s plans, priorities, and processes for implementing its\nresponsibilities using available reSOUlces.\n\n\\\'\\\'e further evaluated the Privacy OftIce policies, guidance, and processes for ensuring compliance\nwith the Pri-\'tacy Act, and d1e E-Government Act. \\\'\\!e analyzed the SOfu\'\\Js and PIA development\nprocesses and assessed the progress of the office in implementing these processes. 
This analysis\nincluded analyzing the Pri,"acy Office\'s overview of PL!\\.s developed and assessing the overall\nquality of published PIAs.\n\nPerform an asseSSIllent ofNARA TS privacypolicies\n\\ve reyiewed NARA information management practices for protection of PIT, as they relate to the\nguidelines set forth in Section 522-d of the 2005 Goyernment Appropriations Act. Public Law 107\xc2\xad\n347, the E-Government Act of 2002, defines "identifiable form" as t1~r representatiotJ ofil~frmllatio!l that\npermits the idetltity ~l an indilidltal to JJlhollJ the i!~lortl1ation applies to be reasonablY iI!femd ~y either direct or\nindired means. \\\'{!e performed procedures to assist the OIG in evaluating NARA\'s information\nmanagement practices in order to:\n\n     A. \t Determine the accuracy of the descriptions of the use of information in identitlable forml\n          while accounting for current technologies and processing methods~\n     B. \t Determine the effectiveness of princ) and data protection procedures by measuring actual\n          practices against established procedural gu.idelines;\n     C. \t Determine compliance with the stated privacy and data protection policies of NARA and\n          applicable laws and regulations;\n     D. \tDetermine whether all technologies used to collect, use, store, and disclose information in\n          identifiable form allow for continuous auditing of compliance wid1 stated privacy policies\n          and practices governing the collection, nse, and distribution of information in operation of\n          the program, and\n     E. \t Pro,"ide NARA with recommendations, strategies, and specifIC steps, to improve privacy and\n          data protection management.\n     F. \t Evaluate NARA\'s nse of information in identifiable form.\n\n\\\\Te examined NARA\'s PII policies, practices and data protection procedures and mechanisms in\noperation. 
Specifically, the tasks focused on:\n\n};- a review of NARA\'s technology, practices and procedures with regard to the collection, llse,\n     sharing, disclosure, transfer and storage of information in identitiable form;\ny. \t a leview of NARA\'s stated privacy and data protection procedures with regard to the collection,\n     nse, sharing, disclosure, transfer, and security of personal information in identifiable form\n     relating to NARA\'s employees and the public;\n};-\t a detailed analysis of NAR..>\\\'s internet, network and \\X\'ebsites tor privacy vulnerabilities,\n     including l)Non-compliance with stated practices, procedures and policies; and 2) Risks tor\n     inadvertent release of information in an identitlable form from NARA\'s website; and\n\n\nlinformation in identifiable form is information in an IT system or online collection: (i) that directly identifies an\nindividual (e.g., name, address. social security number or other identifying number or code, telephone number, email\naddress, etc.) or (Ii) by which an agency intends to identify specific individuals in conjunction with other data\nelements. i.e., indirect identification. 
(These data elements may include a combination of gender, race, birth date,\ngeographic indicator, and other descriptors).\n\n\n                                                            5\n\x0c};- a re,\'iew of NARA\'s compliance ,vith section 522-d of the Omnibus Spending Bill for\n    Transportation, Treasmy, Independent Agencies, and General Government Appropriations Act\n    of 2005;\n)- an analysis of the extent to "vhich the Privacy Report tiled with the OIG is accurate, account\'s\n    for NARA\'s current technologies, information processing, and whether all areas are consistent\n    with the Consolidated Appropriations Act, 2005, Division H, Titie V, Section 522;\nj; an assessment of the reasonableness of NARA internal legal assessments of compliance\n    requirements for privacy regulations, laws and other federal guidelines; and\n};- an assessment of whether Pri,,\'acy Impact Assessments are completed and approved for a sample\n    of required systems.\n\nThe E-Gowmmel1t Act of 2002 requires agencies to conduct a PIA either (1) before developing or\nprocuring information technology systems or projects that collect, maintain or disseminate\ninformation in identifiable form or (2) when initiating a new electronic collection of information in\nidentifiable form for 10 or more persons (excluding agencies, instmmentalities or employees of the\nfederal government). In general, PLi\\s are required to be performed and updated as necessalJ where\na system change creates new privacy risks, for example, when converting paper-based records to\nelectronic systems. On the other hand, no PIA is required "vhere (1) information relates to internal\ngovernment operations, (2) has been previously assessed under an evaluation similar to a PIA, or (3)\nwhere privacy issues are unchanged.\n\nTo accomplish the abm\'e-mentioned objectives, we:\n\n\xe2\x80\xa2 \t Reviewed NARA\'s report to the OIG dated September 27, 2006. 
Tius report was prepared in\n    fulfillment of Section 522-c of the Appropriations Act. " .. . Each agm~T .rha!!prej)are a written repott\n    ofits lise of infortllation in an idelltiftableform. alolTg lrifb itsP;ira9\' and data protection polides andprocedl1res\n    and record it ll\'ith the Illpector Gmeml of the agency to .ren\'e as a Vetlcbtllark for the agmcy. Eacb report sball\n    be signed I:J\' tbe agetJt)\' j)rira9\' qfJirer to rerif), that the agenq intends to Cfltllp!y !t\'itb the procedures iff tbe repOl1.\n    B)\' signing tbe report. the p,lira[y officer also 1\'el?,11es that the a,gent)\' is M!l IfsifTg it!forfllatioll ill idef/tijlable fot7J1\n    as detailed in tbe repOit. "\n\xe2\x80\xa2 \t Verified that NARA had identified and maintained an inventmy of information systems\n    containing PII and systems requiring PIAs and had conducted PIAs for electrOIuc infonnation\n    systems.\n\xe2\x80\xa2 \t Reyiewed a sample of PIAs for tile systems selected nnder reyiew and noted the follmving:\n    o \t \\\\"hat information was collected (e.g., nature and sOllke).\n    o \t \\\'{,\'hy the information was collected (e.g., to determine eligibility).\n    o \t Intended use of the inform,ation (e.g., to veri\xc2\xa3)\' existIng data).\n    o \t \\\\\'ith whom the information ,vas shared (e.g., another agency for a specified programmatic\n         purpose).\n    o \t What opportUluties individuals had to decline to provide information or to consent to\n         palticular nses of the information (otiler than reqnired or authorized uses), and how\n         indi,tiduals commnnicated consent.\n    o \t How the information was secmed from abusive use (e.g., administrative and technological\n         controls).\n\xe2\x80\xa2 \t Selected a representatiye sample of systems and tested tec1uucal controls to achieye the PII\n    protection objectives.\n\xe2\x80\xa2 \t Reviewed tile natnre and use bfPII, to determine ,vhether a SORL\'J "vas required and if 
required,\n    whether one was published. \\X:\'e fu.rti1er rev\'iewed NARA\'s publication ofSORL""s in the Federal\n    Register and verified that they contained only information about individuals that was" reiertlllt and\n\n\n                                                                    6\n\n\x0c   lJf(t\'J:\\{)~J\'" to accomplish ::\\TARA.\'s purpose. W\'e Yeritled that th.is information was updated as\n   necessary.\n\nFor the Fiscal Year 2008 Privacy Assessment, we were not engaged to and did not perform\nprocedures to determine if th.e inyentory of systems containing PH data was exhaustive and if\nNARA. had performed procedures to ensure all NARA. IT systems had been reviewed for existence\nof PH inf\'Ormation. \\Xre re,"ie,t;ed the inventory of 19 PH systems received from the NARA.\nInspector General ot11ce. From tlus population, ,ve selected a representative sample of 15 systems\nfor testing, 13 PH systems and 2 non-PH systems. The results and exceptions noted in this report\nare based on this sample.\n\n\nDETAILED RESULTS OF REVIEW\n\n1. \t Although the NARA Privacy ORice and O/lice of Infonnation Senices (NH) have\n   establishedpolicies ;mdprocedures to protect lVARA\'s PII systems and data, the Privacy\n   O/lice does not properly monitor its priv:lc.v processes for qllulity compli\'lflce with the\n   prmisions ofSectiOIl 522.\n\nThe NARA. Privacy Office has made sigluficant progress in addressing its statutory responsibilities\nunder the General Government Act by developing processes to ensure implementation of privacy\nprotections in agency ,vide programs. 
For example, the Privacy Oftlce has established processes t\'Or\nensuring agency wide compliance with the PIA requirement in the E-Government Act of 2002.\nInstituting this frame,,\'ork has led to increased attention to privacy requirements on the part of\nagency wide components, contributing to an increase in the number of PIAs issued.\n\n\\X:1ule substantial progress has been made in these areas, more ,,\'ork needs to be done in other\nimportant aspects of NARA.\'s prinK)\' protection processes. The details of the matter are as follows:\n\nGeneral conditions found during the audit\n   .,. ::--Jo formalized policies and procedures are in place for Personally Identifiable Information\n       wluch:\n                 explicitly identify the nues for determining whether physical removal is allowed\n                 require the information be ennypted and that appropriate procedures, training, and\n                 accountability measures are in place to ensnre that remote nse of this encrypted\n                 information does not result in bypassing the protections pro"ided by the ennyption.\n                 explicitly identify the mles for detemuning whether remote access is allowed for\n                 personally identitlable information tllat can be removed,\n                 require that tius access be accomplished via a virtual private network (VPN)\n                 connection established using agency-issued authentication certificate(s) or hardware\n                 token, when remote access is allowed,\n                 identify the mles for detemulung whether download and remote storage of the\n                 information is allowed (For example, the policy cmud permit remote access to a\n                 database, but prohibit downloading and local storage of that database.), when remote\n                 access is allowed.\n\n\n\n\n                                                  7\n\n\x0cM 06-15, ~/emor{mdllm for Heads of Departmellts alld AgeIIcies 
for Safegllilrdillg\nPersonally Idelltifi:lble Illformation states: "This memorandum reemphasizes your many\nresponsibilities under 1a\\v and policy to appropriately safeguard sensitive personally identifiable\nintormation and train your employees on their responsibilities on these areas. In particular, the\nPrivacy Act requires each agency to establish \'appropriate administrative, technical and physical\nsafeguards to insure the security and confidentiality of records and to protect against any anticipated\nthreats or hazards to their security or integrity which could result in substantial harm,\nembarrassment, inconvenience or unfairness to any individual on whom information is maintained."\n\n.l\'l!1 06-16, }t;femoral1dllm for tile Heads of Departmellts a1Jd Agencies for Protection of\n Sensitive Age11CJl Information states: "(1) Encrypt all data on mobile computers/devices which\ncany agency data unless the data is detennined to be nOll-sensiti,-e, in \'>vriting, by your Deputy\nSecretary or an indiyidl1al he/she may designate in writing. (2) Allow remote access only with two\nfactor authentication where one of the factors is provided by a deyice separate from the computer\ngaining access (3) ese a time out function for remote access and mobile devices requiring user re\xc2\xad\nauthentication after 30 minutes of inacti"vity (4) Log all computer readable extracts from databases\nholding sensitive information and ,-erify each extract including sensitive data has been erased within\n90 days or its use is still required.\n\nRecommendations;\n\n\\V\'e recommend that NARA. management:\n     )r Deyelop and tonnalize NARA policies which explain the rules for determining whether\n        physical removal/remotely accessing Pll is allowed and the appropriate procedures involved.\n\n2. 
\t NARA Tecl1I1ical Controls related to tile protectiOIl ofpersonally identifiable lllformatioII\n     11eed to be strel1gtbened.\n\nThe NARA Priyacy Office has made significant eftol1 in carrying out its statntmy responsibilities\nand its related role in ensuring compliance with Section 522 of the General Government\nAppropl-iatiol1s Act, notably by establishing a framework for securing data contained in privacy\nsystems. However, our revie,,\' of a sample of 20 privacy systems highlighted that techn.ical control\nover access to these systems needed to be strengthened. The details are as follows:\n\n);.-\t Encryption mechanisms are not in place on pOltable devices containing privacy data such as\n      laptops, pmtable digital assistants (PDAs) or thumb drives le~l\\-ing the NARA premises.\n,. Two factm authentication mechanisms are not in place for remote access login.\n~ Risk assessments for Badging and Access System (B&A) and Automated Collection\n      :tvIanagement Database (10/ ACMD) is outdated and has not been updated at least eyery three\n      years as required by federal mandates.\n\nM 06-16, Memor;mdllIll for tile Heads of" Departments a1Jd Agencies for Protection of"\nSensitive Agency Informatio11 states: "(1) Encrypt all data on mobile computers/devices which\ncarry agency data unless the data is detenruned to be non-sensitive, in writing, by your Deputy\nSecretary or an indi\'l:idual he/she may designate in writing. 
(2) Allow remote access only \\\\-ith two\nfactor authentication where one of the factors is provided by a device separate from the computer\ngaining access (3) L se a time out t,mction for remote access and mobile devices reqniring nser re\xc2\xad\nauthentication after 30 minutes of inactivity (4) Log all compnter readable extracts from databases\n\n\n\n\n                                                  8\n\x0cholding sensitive information and verify each extract including sensiti"e data has been erased within\n90 days or its use is still required.\n\nOA1B Circlllar A-130, Appendiy III, j}[.lI1:lgement ofFederal InfonnatiOIl Resollrces states:\n "Management anthorization should be based on an assessment of management, operational, and\ntechnical        controls. Re-anthorization should occur prior to a significant change in processing,\nbut at least every three years. It should be done more often where there is a high risk and potential\nmagnitude of harm."\n\n NIST 800-53: Recommended Security Controls Jor Federal hlJonnation Systems\n states: "Based on the results of the updated risk assessment, tile organization should determine\n \\\\Yhat additional security controls and!or control enhancements may be necessary to address the\n \\\'111nerability (or vnhlerabilities) related to the event or what corrective actions may be needed to fix\n currently implemented controls deemed to be less than effective. The security plan for the\n information system should then be updated to reflect these corrective actions."\n\n NIST 800-37: Gllide for tbe SecurifJ\' CertiJicatiOIl and Accreditation ofFederal hlformation\n Systnns states: "TIle FIPS 199 security categolT should be considered during the risk assessment\n to help guide the information system O\\vner\'s selection of security controls for the information\n system. 
Security categorization information is typically documented in the system identification\n section of the system security plan or included as an attaclullent to the plan."\n\n1\\-[ 07-16 AlemorandllIl1 tor tbe Heads oj" Execlltive Departments aIld Agencies for\nSalegllarding Against and RespOIlCmlg to tbe Bre;lcJl ofPersoIllul.,v IdeIltifiable Information\nstates: "Assign an impact level to all information and intonnation systems: Agenc.ies must follO\\v the\nprocess outlined in FIPS 199 to categorize all intormation and information systems according to the\nstandard\'s three levels of impact Agencies should consider categorizing sensitive personally\nidentifiable information as moderate or high impact."\n\nRecommendations:\n\nW!e recommend that NARA management:\n    ..,. Ensure encryption mechanisms are in place tor 011 all pOltable devices containing privacy\n         data such as laptops, thumb drives and PDAs.\n    ..,. Implement two factor authentications for remote access logins.\n    , Ensure risk assessments for the Badging and Access System (B&A) and Automated\n         Collection Management Database (IO/AC\\ID) and all major applications and general\n         support s~\'stems ale conducted at least every three years or upon significant changes in its\n         operating em-ironment, prior to its expiration.\n\n\n\n\n                                                    9\n\n\x0c                  _National\n                   .._ _"\'-_ _Archives\n                              - - - _ .__\n                      .\xe2\x80\xa2....." ..""\'._....\n                                          and\n                                           __\n                                              Records\n                                               _ - - - Administration\n                                             ......    --------_.      ._... ............. ..\n                                                                              ,,                .....     
700 Pennsylvania Avenue, NW
Washington, DC 20408-0001

Date:      September 17, 2008

To:        Paul Brachfeld, NARA Inspector General

From:      Allen Weinstein, Archivist of the United States

Subject:   Response to Draft Audit Report 08-15, Clifton Gunderson LLP (CG) 2008 Review of NARA's Compliance with Section 522 of the Consolidated Appropriations Act of 2005 (Policies, Procedures, and Practices for Protection of Personally Identifiable Information)

Thank you for the opportunity to review and comment on the draft audit report 08-15 on NARA's compliance with Personally Identifiable Information (PII) requirements. We appreciate the efforts of your staff and all parties associated with this audit process.

We are pleased that CG notes the proactive and significant progress that the NARA Privacy Office has made in addressing our statutory responsibilities by developing processes to ensure implementation of privacy protections in agency wide programs. We concur with the need to develop and formalize NARA policies regarding physical removal and remote access of PII with corresponding procedures. Efforts to update our privacy related policies are already underway.

We are also pleased that CG comments on the framework we have established for securing data in privacy systems. We concur with the need for more technical control. Risk assessments are part of our Certification and Accreditation process.
We are near the end of a business impact analysis on our systems that will help us ensure that risk assessments are completed as appropriate for each system. Efforts related to encryption and two factor authentication are already underway.

As new requirements for personally identifiable information are implemented by OMB, we will make every effort to comply in the prescribed timeframes. Again, we would like to thank the Office of Inspector General and Clifton Gunderson LLP for working in a professional and dedicated manner with NARA staff.

ALLEN WEINSTEIN
Archivist of the United States

10
NARA's web site is http://www.archives.gov

National Archives and Records Administration
Office of the Inspector General
8601 Adelphi Road, Suite 1300
College Park, Maryland 20740

Date       September 30, 2008

To         Allen Weinstein, Archivist of the United States

From       Paul Brachfeld, Inspector General

Subject:   Management Letter 08-016: Security Response at A-1

This memorandum is intended to ensure effective, tested security measures are in place to protect the safety and integrity of the National Archives building (A-1), staff and visitors in the heart of our nation's capital.
These concerns are neither theoretical nor abstract, but grounded in direct observation of events that unfolded the morning of September 23, 2008 when security vulnerabilities were exploited allowing protesters to gain access to and remain in control of the southwest corner of the Archives building on Constitution Avenue. NARA's response to this illegal trespass and occupation (DC Code Section 22-302) demonstrated a lack of planning, preparation, coordination and training on the part of security personnel entrusted with the paramount duty of protecting NARA structures, persons and holdings. Based upon the defined "success" of the demonstrators, the potential for copy-cat actions exists with absolutely no assurance they will be as docile as this event. Therefore, it is essential security defects be addressed expeditiously.

In an article published in the Baltimore Chronicle and Sentinel, one of the "Veterans for Peace" demonstrators (identified as Ellen Barfield) who participated in the self-described "Ledge-In" defines the mode of their ruse that allowed them unchallenged access to the building perimeter. Garbed as construction workers they circumvented the moat surrounding the building. Once secure, Ms. Barfield states "it was interesting that the Archives seemed to have no contact with any of the ...law enforcement entities in DC even though it is a Federal Building."
Per Ms. Barfield they were even able to reinforce their sundries by having a supporter surreptitiously smuggle water to them when their supplies ran low, despite the fact security had allegedly quarantined the area.

Additionally, the protesters were allowed to set their protest time schedule of twenty-four hours and then were permitted to leave without arrest or consequence. This type of capitulation will only encourage further trespassing. As one of the protestors, Elliott Adams, has been quoted as saying "We considered staying longer this time but we are not prepared for longer than this...although we may be back again, soon."

NARA's web site is http://www.nara.gov

All NARA staff, visitors and stakeholders should be concerned as to the events of September 23rd, and their future implications at A-1 and other NARA facilities including A-2 in College Park, Md.
It is imperative that responsible NARA officials take immediate steps to develop, implement and test security measures addressing the vulnerabilities so clearly exposed and exploited by a handful of protesters at A-1.

Paul Brachfeld
Inspector General